Bug 219214 - [LSPP / Audit] mq_open and mq_unlink a0 off-by-1
[LSPP / Audit] mq_open and mq_unlink a0 off-by-1
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Kernel Manager
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-11 17:33 EST by Michael C Thompson
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-12-12 09:16:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Testcase (954 bytes, application/octet-stream)
2006-12-11 17:33 EST, Michael C Thompson
no flags Details

  None (edit)
Description Michael C Thompson 2006-12-11 17:33:48 EST
Description of problem:
sys_mq_open and sys_mq_unlink's u_name argument (arg0) is being recorded
incorrectly in the audit log. The value is seemingly off by 1 (+1) in the audit log.

Version-Release number of selected component (if applicable):
This is taking place on the lspp.57 kernel.

How reproducible:
See test.c

Steps to Reproduce:
1. auditctl -a entry,always -S mq_open
2. auditctl -a entry,always -S mq_unlink
3. Execute attached testcase and compare against audit log.


Actual results:
>>> Actual Record (fields relevant to syscall)
Time 1165854560 - Serial_No 208
SYSCALL: arch=c000003e syscall=241 success=yes exit=0 a0=411921 
a1=7fff7c9f81f0 a2=457d875f a3=8 ppid=1703 pid=2269 auid=-1 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 
key=(null)


Expected results:
>>> Expected Record (fields relevant to syscall)
SYSCALL: arch=c000003e syscall=241 success=yes exit=0 a0=411920 
a1=7fff7c9f81f0 a2=457d875f a3=8 ppid=1703 pid=2269 auid=-1 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 
key=(null)
Comment 1 Michael C Thompson 2006-12-11 17:33:48 EST
Created attachment 143346 [details]
Testcase
Comment 2 Steve Grubb 2006-12-12 09:15:59 EST
 The mq_open / mq_unlink problem (audit record == pointer + 1) is due to
the way glibc implements mq_open, and is not a kernel bug.

 From ./sysdeps/unix/sysv/linux/mq_open.c in GLibc...

mqd_t
mq_open (const char *name, int oflag, ...)
{
  if (name[0] != '/')
    {
      __set_errno (EINVAL);
      return -1;
    }
[...]
  return INLINE_SYSCALL (mq_open, 4, name + 1, oflag, mode, attr);
}

...as you can see, when the API is passed "/foo" glibc removes the /
giving the kernel just "foo".
Comment 3 Steve Grubb 2006-12-12 09:16:55 EST
I am going to close this as not a bug since its an explained condition.

Note You need to log in before you can comment on or make changes to this bug.